Escapistmagazine.com still vulnerable to Heartbleed as of yesterday


Feotakahari

New member
Nov 1, 2012
According to https://zmap.io/heartbleed/ it's one of the most popular unpatched domains left, meaning Heartbleed-based attacks on it could uncover usernames and passwords. Just thought it was worth a heads-up. (Thankfully, I don't use this password for anything where I'd actually care if it got hacked.)

(Off-topic: wow, I had no idea I already had an account here.)
 

Marter

Elite Member
Legacy
Oct 27, 2009
I'm ... I'm pretty sure that site is wrong.

Given that Kross posted this on April 10:

There was a recent issue with the OpenSSL library (http://www.debian.org/security/2014/dsa-2896) that resulted in the ability to read random chunks of server memory.

One of our web servers was running https for Expo registration (we did not process any payment info locally) - which means that a (currently theoretical) malicious person with information about this exploit before the world knew about it over the last two years could have read random bits of information that passed through this web server.

This possibly includes email addresses or your site password.

If you are concerned about someone else logging into your account, I would suggest changing your password (http://keepass.info/download.html).

I would also suggest changing your credentials for every site that you have logged into with https over the last two years. The same goes for any encryption that uses "TLS", like many email servers.

If you use the same password here as anywhere else, PLEASE NEVER DO THIS. We are a gaming/news website. While I do my best to protect all of our data, never use the same credentials for important logins like your e-mail/bank/anything that uses money as you do for your chat login / videogames.

Sorry for any inconvenience.

As well as this, in response to one of the other "tests":

That test can't reach our web servers, so I'm not exactly sure what vuln you may have seen from there.

We do have SSL on one server (that the bulk of the site doesn't use), and it has been upgraded.

And

Anything that was in the memory of the one web server that had SSL enabled (out of three, though luckily the one that gets the least traffic) could have been potentially seen.

This would have needed to happen before the vulnerability was published, so there's a very small chance that our site was targeted enough to get anything of interest (compared to all the juicier targets running https). I also block most data centers from accessing the web servers, so many automated scans will fail.

Of course these aren't guarantees for anything, but the chance is extremely slim that anyone who had knowledge of this before the world would have pulled your particular information.

I trust that the tech team (http://www.escapistmagazine.com/groups/view/Tech-Team) has taken care of it.
 

geK0

New member
Jun 24, 2011
I don't really have any sensitive credit info on the Escapist and I use a different password from my other accounts so I'm really not that concerned.